5 Tips for Skype for Business Modern Authentication Scenarios

The world is adopting multi-factor authentication (MFA), and Microsoft has been rapidly adding support for it across its servers, services, and clients. Microsoft's umbrella term for the OAuth-based (ADAL) sign-in that makes MFA possible is Modern Authentication (MA), and support has been added for Skype for Business Server (SfB), Exchange Server, and the equivalent online cloud services (Exchange Online and Skype for Business Online, or SFBO).

In practice, with potentially a decade of legacy client versions and a now sizeable matrix of possible SfB and Exchange hybrid topologies, supporting MA for all the users in an enterprise requires some planning.

There is plenty of good documentation about how to enable MA both on-premises and online. This article highlights 5 specific things you’ll want to have answers to before enabling MA in an enterprise.

1. Know Which Topologies Support MA

As we all know, Skype for Business (SfB) is highly integrated with (and therefore dependent on) Exchange, which multiplies the topology scenarios. MA is not supported in every combination of Exchange and SfB topology, and some combinations require special configuration. There is a very good TechNet article which clearly describes which mixes of Exchange on-premises, SfB on-premises, Exchange Online, and SFBO support MA:

Exchange integration and mobile clients will not work with SfB on-premises with MA and Exchange on-premises without MA.

Exchange on-premises and SFBO with MA is supported (a common scenario). Azure AD needs to be the identity provider for SFBO, and on-premises AD needs to be the identity provider for Exchange on-premises.

Multiple prompts for users: the TechNet article referenced above calls out an important point about what happens if MA is not enabled equally across all the server resources the SfB clients use (e.g. the related Exchange resources):

“It’s very important to note that users may see multiple prompts in some cases, notably where the MA state is not the same across all the server resources that clients may need and request, as is the case with all versions of the Mixed topologies. Also note that in some cases (Mixed 1, 3, and 5 specifically) an AllowADALForNonLyncIndependentOfLync registry key must be set for proper configuration for Windows Desktop Clients”
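As an added example (this is not code from the original post or from Microsoft), here is how the per-user registry values that the quoted note refers to can be audited and set from PowerShell on a Windows desktop. The key path and value names are the documented Office 2016 Identity keys; the function names are this example's own, and it assumes it runs as the signed-in user whose HKCU hive is being changed.

```powershell
# Added example, not part of the original post. Audits and sets the per-user Office 2016
# Identity registry values that govern ADAL (Modern Authentication) in the Windows desktop
# Skype for Business client. Function names are this example's own; the key path and the
# value names are the documented ones. Run in the context of the signed-in user (HKCU).

$IdentityKey = 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Identity'

function Get-SfbAdalRegistryState {
    # Returns the current values ($null for a value that is not present) so the
    # starting state is on record before anything is changed.
    $props = if (Test-Path $IdentityKey) { Get-ItemProperty -Path $IdentityKey } else { $null }
    [pscustomobject]@{
        EnableADAL                           = $props.EnableADAL
        AllowADALForNonLyncIndependentOfLync = $props.AllowADALForNonLyncIndependentOfLync
    }
}

function Set-SfbAdalRegistryState {
    # -MixedTopology: also set the key the TechNet note calls out for Mixed 1, 3 and 5.
    # Supports -WhatIf so the change can be previewed on a pilot machine first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$MixedTopology)

    if (-not (Test-Path $IdentityKey)) {
        New-Item -Path $IdentityKey -Force | Out-Null
    }
    # EnableADAL is the master switch for ADAL in the Office 2016 clients (1 = on).
    if ($PSCmdlet.ShouldProcess($IdentityKey, 'Set EnableADAL = 1')) {
        New-ItemProperty -Path $IdentityKey -Name 'EnableADAL' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
    if ($MixedTopology -and
        $PSCmdlet.ShouldProcess($IdentityKey, 'Set AllowADALForNonLyncIndependentOfLync = 1')) {
        New-ItemProperty -Path $IdentityKey -Name 'AllowADALForNonLyncIndependentOfLync' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage: record the state, preview with -WhatIf, apply, then re-read to confirm.
Get-SfbAdalRegistryState
Set-SfbAdalRegistryState -MixedTopology -WhatIf
Set-SfbAdalRegistryState -MixedTopology
Get-SfbAdalRegistryState
```

Because these are HKCU values, a logon script or a Group Policy Preference item is the practical way to push them to every user on a shared machine; the read-back at the end is what tells you the value actually landed before you start troubleshooting prompts.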

2. Plan for Client Support

If SfB has been used in an organization for several years, there are likely a wide variety of clients out in the wild, such as older Lync clients on unmanaged devices, Office 2013 and Office 2016 clients, and a mix of Android, iOS, and Windows Phone mobile versions.

A summary of the various client applications and their modern authentication support for Office 365 is available here: Updated Office 365 modern authentication. In a nutshell, any Skype for Business client version that is not part of Office 2016 (or later) will not have built-in support for Modern Authentication.

For the Skype for Business client specifically, here is a summary of that support:

iOS – yes, but watch the caveat if you are in a SfB hybrid shared namespace scenario (see below)

Android – yes, but watch the caveat if you are in a SfB hybrid shared namespace scenario (see below)

Windows Phone – not supported yet

The supported client list is similar for Skype for Business Server on-premises.

3. App Passwords can be used for Legacy Skype for Business and Lync Clients using Office 365

App passwords are another option for legacy clients that do not natively support MA, such as the Microsoft Lync client and the Skype for Business client in Office 2013. It is a somewhat cumbersome option for end users, but a viable one for those users who require a legacy client.

The App Password option involves the end user signing into the Office 365 portal and creating a special app password that is used in the legacy client and bypasses MA. The big drawbacks are that the app password is yet another password the user needs to have available and ready to use, and that it is auto-generated and difficult to enter on a mobile device. Keep in mind that an app password is also a single-factor credential that sidesteps the second factor entirely, so treat it as a standing exception: know which users have one, and remove it once the legacy client is retired.

One major limitation to be aware of is that this option is not available in hybrid environments, as described here:

App passwords don’t work in hybrid environments where clients communicate with both on-premises and cloud autodiscover endpoints. Domain passwords are required to authenticate on-premises. App passwords are required to authenticate with the cloud.

4. Mobile Clients will not Work if MA is Enabled for SfB Server On-Premises and SfB Online in Hybrid

Modern Authentication for mobile clients is not yet supported in the following deployment topologies:

Exchange Online with Modern Authentication turned on and Skype for Business on-premises without Modern Authentication turned on.

Skype for Business Server 2015 and Skype for Business Online in a split domain hybrid configuration (for example, SharedSIPAddressSpace = true) with Modern Authentication turned on for both Skype for Business Server and Skype for Business Online.
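The checks behind tip 1 (is MA in the same state on every resource the client touches?) and tip 4 (split-domain hybrid with MA on both SfB legs) can be scripted. The following is an added example, not code from the original post or from Microsoft's documentation. The cmdlets and property names are the documented ones; the function names are this example's own. It assumes the matching shell is already connected before each Get-* helper is called (Exchange Online PowerShell, Skype for Business Online PowerShell, the Exchange Management Shell, and the Skype for Business Server Management Shell respectively), and it also reports WS-Fed passive authentication on the SfB pool, because ADAL and passive authentication cannot be used on the same pool.

```powershell
# Added example, not part of the original post. Each Get-* helper reads the Modern
# Authentication (MA) state of one server-side resource so that mismatched legs, the
# cause of the multiple prompts described in tip 1, can be found before users find them.
# Assumption: the right shell is already connected before each helper runs.

function Get-ExoModernAuthEnabled {
    # Exchange Online: OAuth2ClientProfileEnabled is the tenant-wide MA switch.
    [bool](Get-OrganizationConfig).OAuth2ClientProfileEnabled
}

function Get-SfboModernAuthEnabled {
    # Skype for Business Online: ClientAdalAuthOverride = Allowed means MA is on.
    (Get-CsOAuthConfiguration).ClientAdalAuthOverride -eq 'Allowed'
}

function Get-ExchangeOnPremModernAuthEnabled {
    # Exchange Server hybrid MA: the org switch must be on AND an enabled Azure AD
    # auth server must be registered (the evoSTS entry created during hybrid MA setup).
    $org    = Get-OrganizationConfig
    $evoSts = Get-AuthServer | Where-Object { $_.Type -eq 'AzureAD' -and $_.Enabled }
    ([bool]$org.OAuth2ClientProfileEnabled) -and ($null -ne $evoSts)
}

function Get-SfbOnPremModernAuthState {
    # Skype for Business Server hybrid MA: ADAL must be allowed and the client
    # authorization OAuth server must be set (points at the Azure AD entry).
    # Passive auth is reported too: it must be off on a pool that uses ADAL.
    $oauth = Get-CsOAuthConfiguration
    $web   = Get-CsWebServiceConfiguration -Identity Global
    [pscustomobject]@{
        ModernAuthEnabled   = ($oauth.ClientAdalAuthOverride -eq 'Allowed') -and
                              -not [string]::IsNullOrEmpty($oauth.ClientAuthorizationOAuthServerIdentity)
        AuthorizationServer = $oauth.ClientAuthorizationOAuthServerIdentity
        PassiveAuthEnabled  = [bool]$web.UseWsFedPassiveAuth
    }
}

function Test-ModernAuthConsistency {
    # Compares the MA state of the legs present in your topology; pass $null for a leg
    # you do not have. Returns the names of the legs on the minority side (empty means
    # every leg agrees). Ties report the MA-off legs, since the goal is MA everywhere.
    param(
        [nullable[bool]]$ExchangeOnline,
        [nullable[bool]]$SfbOnline,
        [nullable[bool]]$ExchangeOnPrem,
        [nullable[bool]]$SfbOnPrem
    )
    $legs = [ordered]@{
        ExchangeOnline = $ExchangeOnline
        SfbOnline      = $SfbOnline
        ExchangeOnPrem = $ExchangeOnPrem
        SfbOnPrem      = $SfbOnPrem
    }
    $present = @($legs.GetEnumerator() | Where-Object { $null -ne $_.Value })
    $on  = @($present | Where-Object { $_.Value })
    $off = @($present | Where-Object { -not $_.Value })
    if ($on.Count -eq 0 -or $off.Count -eq 0) { return @() }
    $minority = if ($off.Count -le $on.Count) { $off } else { $on }
    @($minority | ForEach-Object { $_.Key })
}

function Test-SplitDomainMobileCaveat {
    # Tip 4: split-domain hybrid (SharedSipAddressSpace = $true) with MA on both
    # SfB Server and SfB Online has no mobile-client support yet. Run in the SfBO shell.
    param([bool]$SfbOnPremMa, [bool]$SfbOnlineMa)
    $shared = [bool](Get-CsTenantFederationConfiguration).SharedSipAddressSpace
    $shared -and $SfbOnPremMa -and $SfbOnlineMa
}

# Usage: collect each leg's state in its own connected shell, then compare offline.
# The literals below are a constructed example of the Exchange on-premises + SFBO
# scenario from tip 1 with MA enabled online but not yet on Exchange Server.
Test-ModernAuthConsistency -ExchangeOnline $true -SfbOnline $true -ExchangeOnPrem $false -SfbOnPrem $null
```

Run the Get-* helpers one shell at a time and feed the booleans into Test-ModernAuthConsistency; any leg it names is one where clients will get a different prompt style than on the others. If Test-SplitDomainMobileCaveat returns $true, expect mobile sign-in failures until Microsoft supports that combination.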

5. Update those Mobile Clients

Even with supported MA topologies, I've seen mobile clients have sign-in problems after MA has been enabled. Several times, updating the mobile client (especially iOS) to the latest-and-greatest has solved the issue. There are also mobile client-side logs which can be useful in tracking down MA sign-in problems.

For example, one user could not sign in with MFA for the iOS Skype for Business client version 6.10.1.0. Upgrading to 6.17.3 (released Nov 15, 2017) worked.

Hi Curtis- great summary. What do you make of these 2 seemingly contradictory statements in the MSFT docs for modern auth for SfB server 2015….
In one of the articles you ref’ed – How to use Modern Authentication (ADAL) – it says “It isn’t possible to use Passive Authentication for a Pool and also use ADAL. You must disable Passive Authentication in order to use ADAL.”. Then there is an article for further info “Manage two-factor auth” (on menu left side of page) which has a sub-article when you click the title called “Configure two-factor auth” that says “The following section describes how to configure Skype for Business Server 2015 to support passive authentication. Once enabled, users who are enabled for two-factor authentication will be required to use a physical or virtual smart card and a valid PIN to sign in”.
So the first article about Modern Auth, which is the technology that provides support for multi-factor auth, says to disable Passive auth. The second article seems to say the opposite – enable Passive auth for two-factor auth. Which is it – enable or disable… or is there some difference in the scenarios that’s not described fully?

Either way you want to disable Passive Authentication. It is the old method by which SfB achieved two-factor authentication.

Modern Authentication (MA) for SfB Server was first shipped in March 2016 and leveraged ADFS. This was meant to replace passive authentication (and had big limitations such as only the Windows Desktop client was supported, no Exchange integration via EWS, etc…). That first article describes configuring this setup, so it says to disable passive auth. And you still would do this if you were using MA with ADFS.

The new hybrid Modern Auth that was released in Dec 2017 uses Azure AD (AAD) and not ADFS. It allows MA in SfB and Exchange server, more clients, and supports O365 multi-factor authentication, etc… Passive authentication is still disabled for this Modern Authentication.

The second article just documents the old way of doing 2FA which did use Passive Authentication (e.g. leveraging Smart Cards).

Legal

The posts and information on this blog are provided "as is" with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer or anyone else for that matter. All trademarks acknowledged. Copyright 2013 Curtis Johnstone.